Commit Graph

775 Commits

Author SHA1 Message Date
Florian Roth
b7ac36e6ab Merge branch 'master' into rule-devel 2020-07-01 09:04:46 +02:00
Florian Roth
f2587791f2 rule: suspicious rar flags 2020-07-01 09:04:26 +02:00
Florian Roth
eb3a6e86af
Merge pull request #867 from HarishHary/suspicious_powershell_parent_process
New Rule: Suspicious powershell parent process
2020-06-30 10:00:28 +02:00
Harish SEGAR
9c74018e12 Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:18:25 +02:00
Harish SEGAR
5e740fd7b2 Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:13:49 +02:00
Florian Roth
5a11ef90d0
rule reorganized 2020-06-29 21:24:47 +02:00
Harish SEGAR
1a088425f9 Fix rules. 2020-06-29 20:42:35 +02:00
Florian Roth
bb214f5832 rule: Explorer Root Flag Process Tree Break 2020-06-29 12:07:15 +02:00
Furkan ÇALIŞKAN
b091e3b1c4
Update for new method
Update for method mentioned in https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
2020-06-22 01:06:34 +03:00
Florian Roth
e1225784f7 fix: fixed indentation 2020-06-19 09:54:08 +02:00
Florian Roth
62632db818 refactor: added variant to IE rule 2020-06-19 09:53:35 +02:00
Florian Roth
5cb6f5da9d fix: title adjusted 2020-06-19 09:39:11 +02:00
Florian Roth
b8a5cd4787 Disabled IE Security Features 2020-06-19 09:37:10 +02:00
Florian Roth
da060bfb90 Ke3chang rule 2020-06-19 09:36:54 +02:00
Ivan Kirillov
b343df2225 Further subtechnique updates 2020-06-17 11:31:40 -06:00
Ivan Kirillov
5c0bb0e94f Fixed indentation 2020-06-16 15:01:13 -06:00
Ivan Kirillov
0fbfcc6ba9 Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00
Florian Roth
87053502a3
Merge pull request #839 from rtkbkish/fix-double-backslash
Fix match for double-backslash
2020-06-15 20:19:56 +02:00
Florian Roth
46bd56a708
Merge pull request #837 from rtkbkish/fix-win-invoke-obfuscation
Fix logsource field name from service->category
2020-06-15 20:18:53 +02:00
Brad Kish
f196046b3d Fix match for double-backslash
To match a double-backslash you actually need three backslashes, since two
backslashes gets reduced to one.
2020-06-15 13:39:50 -04:00
Brad Kish
422b2bffd7 Fix rules with incorrect escaping of wildcars
A backslash before a wildcard needs to be escaped with another backslash.
2020-06-15 13:38:18 -04:00
Brad Kish
8d58c8f5c8 Fix logsource field name from service->category
The rule win_invoke_obfuscation_obfuscated_iex_commandline has the
wrong field name for the "process_creation" tag. Rename from "service"
to "category"
2020-06-15 13:18:05 -04:00
Iveco
40f0fd989d - moved to "process_creation" folder instead of "sysmon"
- renamed .yml file
2020-06-11 19:21:17 +02:00
Florian Roth
97c45f9d46
Merge pull request #812 from tliffick/master
added new rules for malware
2020-06-10 17:37:19 +02:00
Florian Roth
96309d247b
fix: cosmetic fault 2020-06-10 16:41:03 +02:00
Florian Roth
6e4aa01baa
Cosmetics 2020-06-10 16:36:17 +02:00
Florian Roth
13c7d40a22
Cosmetics 2020-06-10 16:35:41 +02:00
Florian Roth
0c2f2fe6df
Merge pull request #816 from Neo23x0/rule-devel
merged Cyb3rWarD0g's rules
2020-06-06 16:27:59 +02:00
Florian Roth
d3e261862d merged Cyb3rWarD0g's rules 2020-06-06 15:42:22 +02:00
Florian Roth
72deaa98f5
Merge pull request #815 from Neo23x0/rule-devel
Rule devel
2020-06-06 14:19:37 +02:00
Florian Roth
2e77e65285 rule: Covenant launchers 2020-06-05 11:03:28 +02:00
Trent Liffick
6c8c0cd85d
Removed incorrect technique 2020-06-03 17:51:57 -04:00
Trent Liffick
a2ca199e7d
added rules for Lazaurs and hhsgov 2020-06-03 17:38:03 -04:00
Sven Scharmentke
4ed512011a All Rules use 'TargetFilename' instead of 'TargetFileName'.
This commit fixes the incorrect spelling.
2020-06-03 09:00:59 +02:00
Florian Roth
7f2fa05ed3
Merge pull request #802 from Neo23x0/rule-devel
ComRAT and KazuarRAT
2020-05-28 11:16:44 +02:00
Florian Roth
39b41b5582 rule: moved DebugView rule to process creation category 2020-05-28 10:13:38 +02:00
Florian Roth
4ca81b896d rule: Turla ComRAT report 2020-05-26 14:19:22 +02:00
Sander Wiebing
3681b8cb56
Extended Windows processes 2020-05-26 13:56:51 +02:00
Sander Wiebing
f9f814f3b3
Shortened title 2020-05-26 13:06:27 +02:00
Sander Wiebing
a241792e10
Reduce FP of legitime processes
A lot of Windows apps does not have any file characteristics. Some examples:
- Gamebar: C:\\Program Files\\WindowsApps\\Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe\\GameBarFT.exe
- YourPhone: C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe\\YourPhoneServer/YourPhoneServer.exe

All C:\Windows\System32\OpenSSH (scp, sftp, ssh etc) does not have a description and company.

Python 2.7, 3.3 and 3.7 does not have any file characteristics.

So I don't think it is possible to whitelist all options, maybe it is worthwhile to check the \Downloads\ folder otherwise it would be better to just delete the rule. All other suspicious folders are covered by /rules/windows/process_creation/win_susp_exec_folder.yml
2020-05-26 12:58:15 +02:00
Sander Wiebing
6fcf3f9ebf
Update win_netsh_fw_add.yml 2020-05-25 10:13:26 +02:00
Sander Wiebing
28652e4648
Add Windows Server 2008 and Windows Vista support
It did not support the command `netsh advfirewall firewall add`
2020-05-25 10:02:13 +02:00
Sander Wiebing
2678cd1d3e
Create win_netsh_fw_add_susp_image.yml
More critical version of the rule windows/process_creation/win_netsh_fw_add.yml with the suspicious image location check. 

Combined the following rules for the suspicious locations:
https://github.com/Neo23x0/sigma//blob/master/rules/windows/sysmon/sysmon_susp_download_run_key.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_run_locations.yml
2020-05-25 09:50:47 +02:00
Florian Roth
9cd9a301c2
Merge pull request #791 from SanWieb/master
added rule for Netsh RDP port opening
2020-05-23 16:50:31 +02:00
ecco
10ca3006f5 move rule where needed 2020-05-23 10:07:55 -04:00
Sander Wiebing
d310805ed9
rule: Netsh RDP port opening 2020-05-23 14:19:52 +02:00
ecco
9a7f462d79 move renamed bnaries rule to process creation (they made a lot of false positives in sysmon as there was no event id specified in the rule) 2020-05-23 07:17:56 -04:00
Florian Roth
12e1aeaf9f
Merge pull request #788 from Neo23x0/rule-devel
refactor: split up rule for CVE-2020-1048 into 2 rules
2020-05-23 09:54:43 +02:00
Florian Roth
34006d0794 refactor: simplified and extended expression in CVE-2020-1048 rule 2020-05-23 09:16:19 +02:00
Florian Roth
57c8e63acd refactore: split up rule for CVE-2020-1048 into 2 rules 2020-05-23 09:09:58 +02:00
Thomas Patzke
96fae4be68 Added CrachMapExec rules 2020-05-22 00:50:37 +02:00
Florian Roth
64e0e7ca72
Merge pull request #784 from Neo23x0/rule-devel
refactor: slightly improved Greenbug rule
2020-05-21 14:19:09 +02:00
Florian Roth
91c4c4ecc5 refactor: slightly improved Greenbug rule 2020-05-21 13:38:11 +02:00
Florian Roth
bbf78374b6
Merge pull request #783 from Neo23x0/rule-devel
Greenbug Rule
2020-05-21 09:55:46 +02:00
Florian Roth
9a3b6c1c77 docs: added MITRE ATT&CK group tag 2020-05-21 09:44:11 +02:00
Florian Roth
344eb713c5 rule: Greenbug campaign 2020-05-21 09:39:57 +02:00
ZikyHD
8963c0a65e
Remove duplicate 'CommandLine' in fields 2020-05-20 11:54:47 +02:00
ecco
fd386fe8eb standardize rules with Image and CommandLine instead of NewProcessName and ProcessCommandLine 2020-05-15 12:35:32 -04:00
Florian Roth
8e082283f0
Merge pull request #754 from Neo23x0/rule-devel
Rule devel
2020-05-15 12:07:04 +02:00
ecco
54cf535dbc remove false positives with cmd as child of services.exe (not specifically related to meterpreter/cobaltstrike) 2020-05-15 04:45:25 -04:00
Florian Roth
ab950fb89d fix: removed rules missing in master 2020-05-14 15:53:09 +02:00
Florian Roth
7652813c2c
Merge pull request #752 from zaphodef/fix/win_susp_script_execution_false_negatives
Widen the search as it gives too many false negatives
2020-05-13 21:02:12 +02:00
zaphod
78a5c743f2 Widen the search as it gives too many false negatives 2020-05-13 16:20:23 +02:00
Florian Roth
78a8266a1b
Merge pull request #749 from teddy-ROxPin/patch-6
Create win_advanced_ip_scanner.yml
2020-05-13 14:09:12 +02:00
Florian Roth
220a14f31c
fix: typo in contains 2020-05-13 12:38:54 +02:00
Florian Roth
a1856c5743
Update win_advanced_ip_scanner.yml 2020-05-13 11:56:25 +02:00
zaphod
a9ef7ef382 Fix a bad CommandLine search 2020-05-13 11:32:05 +02:00
teddy_ROxPin
bb17fd74ee
Create win_advanced_ip_scanner.yml
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
2020-05-12 21:43:01 -06:00
Florian Roth
1104044f53 fix: delete duplicate rules 2020-05-11 10:55:02 +02:00
Florian Roth
2b18b66c16 Merge branch 'master' into rule-devel 2020-05-11 10:50:10 +02:00
Florian Roth
4366a95024 rule: Maze ransomware 2020-05-11 10:46:26 +02:00
Florian Roth
f96c3a5fd4 Merge branch 'master' into rule-devel
# Conflicts:
#	rules/proxy/proxy_ua_suspicious.yml
#	rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
#	rules/windows/process_creation/win_susp_csc_folder.yml
2020-05-11 10:44:19 +02:00
Remco Verhoef
2d38cb7b52
fix incorrect use of global 2020-05-06 23:00:45 +02:00
Florian Roth
c71e10a7f3
Merge pull request #717 from Karneades/renamedbinary
Add netsh to renamed binary rule
2020-05-02 14:12:34 +02:00
Florian Roth
b4b9b0155f
Merge pull request #716 from Karneades/patch-1
Add rule to detect wifi creds harvesting using netsh
2020-05-02 14:12:10 +02:00
Maxime Thiebaut
4600bf73dc Update rules to follow the Sigma state specification
The [Sigma specification's status component](https://github.com/Neo23x0/sigma/wiki/Specification#status-optional) states the following:

> Declares the status of the rule:
>  - stable: the rule is considered as stable and may be used in production systems or dashboards.
>  - test: an almost stable rule that possibly could require some fine tuning.
>  - experimental: an experimental rule that could lead to false results or be noisy, but could also identify interesting events.

However the Sigma Rx YAML specification states the following:

> ```yaml
> status:
>     type: //any
>     of:
>         - type: //str
>           value: stable
>         - type: //str
>           value: testing
>         - type: //str
>           value: experimental
> ```

The specification confuses the `test` and `testing` state. This commit changes the `test` state into the `testing` state which is already used in the code-base:
 - [`sigma/sigma-schema.rx.yml`](a805d18bba/sigma-schema.rx.yml (L49))
 - [`sigma/tools/sigma/filter.py`](f3c60a6309/tools/sigma/filter.py (L26))
 - [`sigma/tools/sigmac`](4e42bebb34/tools/sigmac (L98))

Although not modifyable through a PR, the specification should furthermore be updated to use the `testing` state.
2020-04-24 20:50:31 +02:00
Andreas Hunkeler
7d437c2969
Add netsh to renamed binary rule 2020-04-20 17:12:25 +02:00
Andreas Hunkeler
d4e9606266
Improve netsh wifi rule another time due to arg shortcut 2020-04-20 16:40:03 +02:00
Andreas Hunkeler
af498d8a8c
Improve rule to detect argument shortcut in netsh wlan rule 2020-04-20 16:32:25 +02:00
Andreas Hunkeler
ba541c3952
Fix title for new netsh wifi rule 2020-04-20 16:20:45 +02:00
Andreas Hunkeler
d9e5274c9e
Add rule to detect wifi creds harvesting using netsh 2020-04-20 16:14:44 +02:00
vesche
3889be6255 Replace reference link for win_susp_netsh_dll_persistence 2020-04-10 01:05:10 -05:00
vesche
82db80bee6 Remove wrong mitre technique 2020-04-10 01:02:43 -05:00
vesche
72b821e046 Update win_susp_netsh_dll_persistence.yml 2020-04-09 11:16:18 -05:00
Thomas Patzke
551a94af04 Merge branch 'master' of https://github.com/tileo/sigma into pr-658 2020-04-08 22:43:48 +02:00
Florian Roth
4e3985866b
Update and rename sysmon_win_chm.yml to win_html_help_spawn.yml 2020-04-03 16:50:48 +02:00
mpavlunin
81d0f82272
Create new rule T1223
Suspicious Compiled HTML File
2020-04-03 16:56:26 +03:00
Florian Roth
c0ab9c5745
Merge pull request #671 from HarishHary/powershell_downgrade_attack
Powershell downgrade attack (small improvements)
2020-04-03 09:31:33 +02:00
Chris O'Brien
fe5dbece3d
Date typos...more than I thought... 2020-04-02 10:00:00 +02:00
Chris O'Brien
97c0872c81
Date typo. 2020-04-02 09:53:09 +02:00
Chris O'Brien
95e0b12d88
Fixed date typo - by the looks of the commit date the month/date were swapped. 2020-04-01 18:18:13 +02:00
Florian Roth
fe5b5a7782
Merge pull request #673 from j91321/rules-minor-fixes
Minor fixes to several rules
2020-03-28 13:27:05 +01:00
Florian Roth
bbb10a51f4
Update win_powershell_downgrade_attack.yml 2020-03-28 13:17:58 +01:00
Florian Roth
0e94eb9e86
Update win_powershell_downgrade_attack.yml 2020-03-28 13:12:07 +01:00
Justin Ellison
dabc759136
Eliminate title collision
Fixing the problem described in HELK here: https://github.com/Cyb3rWard0g/HELK/issues/442 where when running sigmac to generate elastalert rules, this rule has a title collision with another rule in the same directory and causes elastalert to fail to start.
2020-03-26 09:13:52 -05:00
Florian Roth
28953a2942 fix: MITRE tags in rule 2020-03-25 18:11:04 +01:00
Florian Roth
6584729a0d rule: powershell downloadfile 2020-03-25 14:58:14 +01:00
Florian Roth
35e43db7a7 fix: converted CRLF line break to LF 2020-03-25 14:36:34 +01:00
Florian Roth
17297193c7 Merge branch 'master' into devel 2020-03-25 14:18:11 +01:00
Florian Roth
50b0d04ee8 rule: Exploited CVE-2020-10189 Zoho ManageEngine 2020-03-25 14:02:53 +01:00
Florian Roth
28d8b87a0f rule: extended web shell spawn rule 2020-03-25 14:02:39 +01:00
j91321
1d86e0b4a5 Change falsepositives to array 2020-03-24 19:59:54 +01:00
j91321
c784adb10b Wrong indentation falsepositives 2020-03-24 19:55:41 +01:00
j91321
98a633e54c Add missing status and falsepositives 2020-03-24 19:53:41 +01:00
j91321
bc442d3021 Add path with lowercase system32 2020-03-24 19:48:24 +01:00
Thomas Patzke
c10332b06c
Merge pull request #663 from neu5ron/updates_sigmac_and_rules
Updates sigmac and rules
2020-03-22 00:22:31 +01:00
Harish SEGAR
ba3994f319 Fix of '1 of x' condition 2020-03-21 12:19:01 +01:00
Harish SEGAR
81b277ba1a suspicious powershell parent process... 2020-03-21 00:26:30 +01:00
Harish SEGAR
a88b22a1bd Fix namefield. 2020-03-20 23:34:15 +01:00
Harish SEGAR
67694e4ba7 Restructure new improvement to process_creation folder. 2020-03-20 23:29:32 +01:00
Florian Roth
6040b1f1f8
Merge pull request #668 from Neo23x0/devel
Devel
2020-03-19 18:36:31 +01:00
Florian Roth
8454f60a8e fix: reduced level due to false positives 2020-03-17 20:40:28 +01:00
neu5ron
4c94906d53 rule should be wildcard AND had a prepended ^ in one of the CommandLine conditions that would have caused to not trigger 2020-03-14 15:00:42 -04:00
Florian Roth
cbf0f43934
Merge pull request #655 from msec1203/msec1203-patch-1
add rule for suspicious use of csharp console by scripting utility
2020-03-09 18:01:12 +01:00
Florian Roth
6845fa21b3
fix: fixed several issues 2020-03-09 17:43:16 +01:00
David Szili
0947538228 MDATP schema changes
WDATP was renamed to MDATP (Microsoft Defendre ATP).
MDATP also had schema changes recently: https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914
The updates reflect these changes
2020-03-09 17:12:41 +01:00
Florian Roth
ddefb3bc58 Merge branch 'master' into devel 2020-03-07 11:06:25 +01:00
ecco
b9e4734087 fix sysmon registry rules with HKLM/HKU format as used since 02/2017 in sysmon 2020-03-04 12:47:42 -05:00
Florian Roth
6bbb166f3d rule: extended webshell rule with tomcat.exe 2020-03-04 14:25:57 +01:00
Florian Roth
53278c2a46
Merge pull request #649 from Neo23x0/devel
fix: avoiding FPs with Citrix software
2020-03-03 11:35:02 +01:00
Florian Roth
f98ad7a8df fix: wrong identifier 2020-03-03 11:25:02 +01:00
Florian Roth
be4242aca8 fix avoiding FPs with MpCmdRun
ParentImage: C:\Windows\System32\services.exe
CommandLine: C:\Program Files\Microsoft Security Client\\MpCmdRun.exe
2020-03-03 11:16:59 +01:00
Thomas Patzke
b63889af75 Fixed rules that likely will cause false negatives by fix 2020-03-01 23:14:53 +01:00
Thomas Patzke
0a62b8747e
Merge pull request #634 from EccoTheFlintstone/fp_fix3
Rule: restore initial behaviour matching single word with spaces on each side
2020-03-01 22:40:24 +01:00
Florian Roth
ada0edb822
Merge pull request #621 from wagga40/new_koadic_rule
New Koadic detection rule
2020-02-26 13:25:03 +01:00
Florian Roth
0ba6874645
Merge pull request #638 from Neo23x0/devel
Several false positives with new rules
2020-02-26 09:46:02 +01:00
Florian Roth
1c90d6badd
level increased 2020-02-26 09:42:31 +01:00
Florian Roth
c8afd4a16b
Merge pull request #637 from tjgeorgen/patch-1
fix missing status & description in status field
2020-02-26 09:40:55 +01:00
Florian Roth
4f3e3166d3 fixing false positives 2020-02-26 09:33:55 +01:00
Tom Georgen
74f3fe70cc
fix missing status & description in status field 2020-02-25 16:30:41 -05:00
ecco
3247d5692a wmiprvse subprocess: add fallback check on username instead of only logonid 2020-02-24 09:25:20 -05:00
ecco
df7356e829 Rule: restore initial behaviour matching single word with spaces on each side 2020-02-24 08:00:06 -05:00
ecco
aa1eff5419 fix FP on rmdir matching dir 2020-02-24 05:23:23 -05:00
Florian Roth
bfab143c7c
Merge pull request #632 from EccoTheFlintstone/fp_fix
fix false positive on taskkill.exe not related to service stop at all
2020-02-24 09:58:33 +01:00
ecco
f807dae69a fix false positive on taskkill.exe not related to service stop at all 2020-02-24 03:03:46 -05:00
ecco
1703b725d3 fix non ascii character in rule 2020-02-24 02:58:34 -05:00
Thomas Patzke
48d95f027c Merge branch 'oscd' 2020-02-20 23:11:57 +01:00
Thomas Patzke
373424f145 Rule fixes
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
2020-02-20 23:00:16 +01:00
Florian Roth
6413730810 fix: fixing too restrictive rule
https://twitter.com/Hexacorn/status/1229702521679118336
2020-02-18 10:43:22 +01:00
Florian Roth
04b97bd84c fix: character in filename 2020-02-18 10:19:48 +01:00
Florian Roth
cd607d4fed rule: process dump via rundll32 and comsvcs.dll's MiniDumpW 2020-02-18 10:04:55 +01:00
Florian Roth
73dfc847fc rule: changed lsass process dump to level high 2020-02-18 10:03:25 +01:00
Wagga
b9c745a1b2 New Koadic detection rule 2020-02-16 16:48:49 +01:00
yugoslavskiy
d0e284ae18 fix typo (duplicates) 2020-02-16 18:19:25 +03:00
Thomas Patzke
f118839664 Further fixes and deduplications
From suggestions of @yugoslavskiy in issue #554.
2020-02-16 14:03:07 +01:00
Thomas Patzke
77c927bc14 Revert "Moved rules with enrichments into unsupported"
This reverts commit ba83b8862a.
2020-02-15 22:52:06 +01:00
Florian Roth
080532d20c
logsource change
I've swapped the lines in the logsource section to make it clearer that the category "process_creation" covers all sources that generate process creation logs on the windows platform.
2020-02-07 15:47:27 +01:00
Tim Burrell (MSTIC)
f70f847524 additional gallium ttp
sha1 process creation only makes sense for sysmon
2020-02-07 14:08:40 +00:00
Thomas Patzke
7fdd6f7bce Swapped accidental deletion of older rule duplicate 2020-02-06 23:41:05 +01:00
Thomas Patzke
d7bd90cb24 Merge branch 'master' into oscd 2020-02-03 23:13:16 +01:00
Thomas Patzke
f7394d09e0 Deduplication 2020-02-03 22:41:55 +01:00
Thomas Patzke
815c562a17 Merge branch 'master' into oscd 2020-02-02 13:40:08 +01:00
Thomas Patzke
ba83b8862a Moved rules with enrichments into unsupported 2020-02-02 12:46:03 +01:00
Thomas Patzke
593abb1cce OSCD QA wave 3 2020-02-02 12:41:12 +01:00
Neis Markus
0d7f55948c additional execution observed 2020-02-02 08:07:00 +01:00
Florian Roth
aa8a0f5e1f
Merge pull request #606 from Neo23x0/devel
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 18:25:19 +01:00
Florian Roth
03ecb3b8dc refactor: moved rues from 'apt' folder in respective folders 2020-02-01 17:59:26 +01:00
Florian Roth
6ea861da53
Merge pull request #605 from Neo23x0/devel
Winnti rule and helpful message in test script
2020-02-01 15:51:16 +01:00
Florian Roth
a752e6c95f rule: winnti group campaign against HK universities 2020-02-01 15:43:30 +01:00
Florian Roth
848e0c90e4
Merge branch 'master' into master 2020-01-31 14:45:29 +01:00
Florian Roth
82cae6d63c
Merge pull request #604 from Neo23x0/devel
New tests, colorized test output and rule cleanup
2020-01-31 07:07:13 +01:00
Florian Roth
ae2c186872 rule: wsreset.exe UAC bypass 2020-01-30 18:05:47 +01:00
Florian Roth
d42e87edd7 fix: fixed casing and long rule titles 2020-01-30 17:26:09 +01:00
Florian Roth
e79e99c4aa fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00
Florian Roth
30d872f98f
Merge pull request #492 from booberry46/master
Bypass Windows Defender
2020-01-30 14:27:30 +01:00
Florian Roth
d2122b6b83
Merge pull request #594 from sreemanshanker/master
Sigma rule to Monitor for writing of malicious files to system32 and syswow64 folders
2020-01-30 09:14:58 +01:00
Florian Roth
a01773681a
fix: filename 2020-01-30 08:18:29 +01:00
Florian Roth
529e95e3a5
Fixed everything
This rule had a lot of errors and problems. 
- title
- file name 
- status stable > experimental
- field order
- indentation
- unnecessary use of regular expressions
- interesting fields incomplete
- missing date
- missing id
- reference not as list
2020-01-30 08:17:46 +01:00
Florian Roth
4c90e636b1
changed file name 2020-01-30 08:07:56 +01:00
Florian Roth
a935cea665
fix: condition 2020-01-30 08:06:53 +01:00
sreemanshanker
d5c7b4795d
Add files via upload 2020-01-30 11:29:01 +08:00
Florian Roth
a816f4775f rule: FromBase64String command line 2020-01-29 16:05:12 +01:00
Florian Roth
7786edac29 rule: dctask64.exe evasion techniques
https://twitter.com/gN3mes1s/status/1222088214581825540
2020-01-28 11:29:24 +01:00
Florian Roth
5f0589b787 rule: mstsc shadowing 2020-01-24 16:18:19 +01:00
Florian Roth
e24ea159f3 rule: split up renamed binary rule 2020-01-24 15:31:07 +01:00
GelosSnake
8fbe08d5fa Update win_system_exe_anomaly.yml
fixing to much original fork.
2020-01-24 15:31:06 +01:00
GelosSnake
9f3672fdc0 Update win_system_exe_anomaly.yml
Following sigma event I've noticed my twitter account was referenced:
https://twitter.com/GelosSnake/status/934900723426439170

Rule:
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_system_exe_anomaly.yml

Seems like - '\SystemRoot\System32\\*' is missing and hence triggering an FP.
2020-01-24 15:31:06 +01:00
Justin Schoenfeld
5f8b152166 Added new sticky key attack binary 2020-01-24 15:31:06 +01:00
david-burkett
5d04c76f68 svchost spawned without cli 2020-01-24 15:31:06 +01:00
david-burkett
032c382184 corrected logic 2020-01-24 15:31:06 +01:00
David Burkett
991e3b8a51 Trickbot behavioral recon activity 2020-01-24 15:31:06 +01:00
Thomas Patzke
9bb50f3d60 OSCD QA wave 2
* Improved rules
* Added filtering
* Adjusted severity
2020-01-17 15:46:28 +01:00
Florian Roth
ba7c634f1a
More changes 2020-01-13 09:59:14 +01:00
Florian Roth
7bd820c151
Changes 2020-01-13 09:56:49 +01:00
sreemanshanker
ffcfcb70ad
Add files via upload 2020-01-13 13:21:06 +08:00
Thomas Patzke
ae6fcefbcd Removed ATT&CK technique ids from titles and added tags 2020-01-11 00:33:50 +01:00
Thomas Patzke
8d6a507ec4 OSCD QA wave 1
* Checked all rules against Mordor and EVTX samples datasets
* Added field names
* Some severity adjustments
* Fixes
2020-01-11 00:11:27 +01:00
Florian Roth
48f5f480fd fix: SCCM false positives with whoami.exe rule 2020-01-07 12:13:47 +01:00
Florian Roth
c007ecf90c
Merge pull request #585 from Neo23x0/devel
Devel
2019-12-30 15:08:43 +01:00
Florian Roth
5980cb8d0c rule: copy from admin share - lateral movement 2019-12-30 14:25:43 +01:00
Florian Roth
86e6b92903 rule: SecurityXploded tool 2019-12-30 14:25:29 +01:00
Florian Roth
5ad793e04a
Merge pull request #582 from tvjust/patch-1
Added new sticky key attack binary
2019-12-30 14:14:20 +01:00
GelosSnake
f574c20432 Update win_system_exe_anomaly.yml
fixing to much original fork.
2019-12-29 18:02:49 +02:00
GelosSnake
7e7f6d1182 Update win_system_exe_anomaly.yml
Following sigma event I've noticed my twitter account was referenced:
https://twitter.com/GelosSnake/status/934900723426439170

Rule:
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_system_exe_anomaly.yml

Seems like - '\SystemRoot\System32\\*' is missing and hence triggering an FP.
2019-12-29 18:01:19 +02:00
Justin Schoenfeld
a1f07cdb4b
Added new sticky key attack binary 2019-12-29 08:32:23 -05:00
david-burkett
4a65a25070
svchost spawned without cli 2019-12-28 10:28:08 -05:00
david-burkett
35b4806104
corrected logic 2019-12-28 09:55:39 -05:00
David Burkett
474a8617e5
Trickbot behavioral recon activity 2019-12-27 21:25:53 -05:00
Florian Roth
fc8607bbea rule: whoami as local system 2019-12-22 18:50:26 +01:00
Florian Roth
fb76f2b9ac rule: CreateMiniDump 2019-12-22 08:29:12 +01:00